back to article No big deal... Kremlin hackers 'jumped air-gapped networks' to pwn US power utilities

The US Department of Homeland Security is once again accusing Russian government hackers of penetrating America's critical infrastructure. Uncle Sam's finest reckon Moscow's agents managed to infiltrate computers networks within US electric utilities – to the point where the miscreants could have virtually pressed the off …

Page:

  1. tip pc Bronze badge

    More detail please

    Would love to read more detail on how they exploited the air gapped systems, I assume from Russia.

    1. diodesign (Written by Reg staff) Silver badge

      Re: More detail please

      There is no more detail right now – just a strategic exclusive briefing by Homeland Sec officials with the WSJ.

      [ Edit: There's more detail here ]

      Presumably the equipment suppliers have access to the utilities' networks so they can provide remote support. That's one way in. The other way is to hack vendors, infect devices, wait for them to be shipped to power plants. Phone home, somehow.

      Relevant bits from the Journal:

      "The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, 'air-gapped' or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.

      "The cyber-attack, which surfaced in the U.S. in the spring of 2016 and continued throughout 2017, exploited relationships that utilities have with vendors who have special access to update software, run diagnostics on equipment and perform other services that are needed to keep millions of pieces of gear in working order.

      "The attackers began by using conventional tools—spear-phishing emails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites—to compromise the corporate networks of suppliers, many of whom were smaller companies without big budgets for cybersecurity.

      "Once inside the vendor networks, they pivoted to their real focus: the utilities. It was a relatively easy process, in many cases, for them to steal credentials from vendors and gain direct access to utility networks."

      C.

      1. Jack of Shadows Silver badge

        Re: More detail please

        Tried and true technique and exactly my approach. Remember Target?

        1. John Smith 19 Gold badge

          "Tried and true technique and exactly my approach. Remember Target?"

          I was thinking "Isn't this exactly how STUXNET was infected into the Iranian nuclear programme?

          Who thought US companies would be so dumb to fall for this?*

          *Kidding. If a nation state started laying explosives around the infrastructure of another nation state this would be called an act of war. It is time alien code running on strategic servers was viewed in the same way.

      2. DougS Silver badge

        Re: More detail please

        Probably the same way those attacks always seem to go. Either the system is only air gapped 99% of the time (i.e. they have to temporarily connect it for vendor service/diagnosis) or they use USB devices as their sneakernet medium. Yes, it would be stupid to have autorun enabled on those air gapped machines, but often you see TERRIBLE security settings on air gapped machines because "they're safe from hackers, so why bother?"

        1. hammarbtyp Silver badge

          Re: More detail please

          You don't need autorun. With enough resources you can compromise the USB key itself to attack the system, for example by looking like a USB keyboard

          1. DougS Silver badge

            Re: More detail please

            With enough resources you can compromise the USB key itself to attack the system

            Don't you need to modify hardware to do that? If it is even theoretically possible for software to remotely hack a USB flash storage device connected to a standard PC to make it act like a keyboard when connected to a different standard PC, color me shocked (and I'd like a link, please)

            If you can leave USB keys laying around the parking lot and they're dumb enough to use that in the air gapped system, then they probably have so many other security failures you don't need this attack. If you're able to do a black bag job and break in to swap out the USB keys they use on the air gapped systems with one that's been modified, then you might as well just go directly to the air gapped system and do what you please.

            1. usbac

              Re: More detail please

              @DougS,

              There was a research paper a while back where they were able to re-program the microcontroller in some USB flash drives to turn them into a keyboard emulator.

              What do you know, it was on El Reg...

              https://www.theregister.co.uk/2014/07/31/black_hat_hackers_drive_truck_through_hole_in_usb_security/

              1. Unoriginal Handle

                Re: More detail please

                https://malduino.com/

            2. DCFusor Silver badge

              Re: More detail please

              https://www.bunniestudios.com/blog/?p=3554

              Here's your link, other Doug. Bunnie and Xobs figured out how long ago, but didn't go too far into the black hat part so as to stay out of jail. But if you know computers, and know that USB sticks and SD cards can indeed be programmed with the right code (knocking sequence) then the rest follows.

      3. Peter Gathercole Silver badge

        Re: More detail please

        Um. If somebody/anybody has remote access to a network, then it is not "air-gapped".

        A properly air-gapped environment has absolutely no communications connections with any other environment, and is completely self-contained in one location.

        Anything else should probably be described as "firewalled" (assuming that there are firewalls in place!)

      4. Laura Kerr
        Mushroom

        Re: More detail please

        Hang on a tick. You could try crossing an air-gapped network by infecting a software package destined for it before it's taken across the gap, but then what?

        Basic security (granted, that's a bit of an assumption) would require that you check everything coming in from outside, even a vendor's network. A simple checksum calculation would show if a package has been tampered with. For that to pass, the correct checksum would have to be replaced by that of the compromised package.

        OK, that might be achievable. But once you've installed your malware, how do you pass commands to it?

        TBH, this reads like Cold War reds under the bed. Time to set up camp at Greenham Common again?

        1. hammarbtyp Silver badge

          Re: More detail please

          asic security (granted, that's a bit of an assumption) would require that you check everything coming in from outside, even a vendor's network. A simple checksum calculation would show if a package has been tampered with. For that to pass, the correct checksum would have to be replaced by that of the compromised package.

          A simple checksum would be easy to spoof, but if checksum was HMAC'd or encrypted, then less so

          1. Claptrap314 Bronze badge

            Re: More detail please

            I upvoted this, but I'm assuming that the poster meant "a cryptographically secure checksum".

            1. Laura Kerr

              Re: More detail please

              She did.

      5. jmch Silver badge

        Re: More detail please

        I noticed this.... BUT

        "We're told, and can well believe, that the equipment makers and suppliers have special access into the utilities' networks in order to provide remote around-the-clock support and patch deployment"

        So... not air-gapped then if suppliers could log in to provide remote support?

      6. magickmark

        Re: More detail please

        Ok try this:

        Infect vendors networks

        Conntect Laptop to network

        Laptop infected

        Take laptop on service call to air gaped network & plugin

        Air gaped network infected

        Malware delivers payload/slurps info

        Passed info back to laptop

        Take laptop back to vendor and plug into network

        Data sent home

        Simples?

    2. Christian Berger Silver badge

      It's most likely a combination of the following...

      Gaining access to unrelated systems in order to know about the social graph of the target.

      You then use that information to pose as a trusted partner, e.g. the vendor of the software, and send "updates" or office documents with which you can infiltrate the system.

      This can be done via e-mail or, depending on the typical way software updates are distributed, postal mail. If your vendor sends you software updates via mail, sending a fake update which looks the same as a real one won't raise any suspicion and it will be installed.

      BTW probably _all_ secret services do that kind of thing.

    3. veti Silver badge

      Re: More detail please

      You can always read up on Stuxnet, which did exactly this. The Russians' approach might be similar. Or it might be completely different, they've got the skills.

      1. Red Bren
        Mushroom

        Re: More detail please

        Yeah, but they used to be commies and they're probably still commies really so they're the bad guys and they were infecting US computers with malware and everyone knows that is an ACT OF WAR.

        Stuxnet was just a prank that got a little out of hand but it didn't do any harm and even if it did those eye-ranians are bad guys and they deserved it and they were going to attack us so we retaliated in self defence first.

    4. Robert Carnegie Silver badge

      How?

      Two words: power lines.

      two more words: Carrington event.

      By manipulating sunspots and the solar wind, Russian scientists were able to signal to the power company computer systems... but why would they even need to, if they can do the first thing!

    5. Anonymous Coward
      Anonymous Coward

      Re: More detail please

      Throw one switch, blow the whole cover...this is just hype.

  2. Flocke Kroes Silver badge

    What are they waiting for

    Clearly it is time for the US to team up with fancy bear and properly secure banks, voting machines and nuclear missile launch controls.

    1. rmason Silver badge

      Re: What are they waiting for

      The US will have their NSA equivalent (or whichever agency it is).

      They will know how to properly secure such things. No one will ask them, no one will listen to their answers if they do.

      It'll be too expensive to implement. I.E any cost higher than the current one.

    2. Rich 11 Silver badge

      Re: What are they waiting for

      I'm sure Vladimir proposed this at Helsinki and Donald was only too happy to agree.

      1. Version 1.0 Silver badge

        Re: What are they waiting for

        "Hi Donald, good to see you again - here's a USB stick with all the information on Hillary that I promised"

        "Thanks Vladimir I'll check it out as soon as I get back to the WH - we'll keep this just between ourselves"

        1. stiine Bronze badge
          Gimp

          Re: What are they waiting for

          And you think the KGB didn't stick that Easy Button in their microwave for 10 minutes before giving it back?

    3. Voland's right hand Silver badge

      Re: What are they waiting for

      BBbbbbut sir...

      What about all the k1dd13 college funds, pensions, retirement boats and timeshares in the Caribbean?

      If the networks are properly secured and there is no more Red Bear threat there will be no jobs for the people who draft these announcements.

      On a more serious note, this is more believable than the usual crap fed by the 3 letters to the press including the air-gapped story. While the networks are air-gapped at the utility, they quite often have remote out-of-band or private network access from the vendor which is supposed to be accessing it from an air gapped machine. Quite clearly they do not. That is believable (same as using vendors as a vector).

      1. DougS Silver badge

        Re: What are they waiting for

        I'll bet some of these "air gapped" systems have a modem or possibly a leased line connected to a private network (the beancounter says "air gapped from the internet is good enough, right?")

        Air gapped systems still need to be supported, which implies something gets access to them at some point. You could say "fine, everything that touches them has to be air gapped" but that's reductio ad absurdum.

        A vendor creates a software update, intending to deliver it to the air gapped customer systems. How do they get that software update off their non-gapped developer machines onto an air gapped system in a 100% secure manner. Answer: you can't. They'd have to have 100% air gapped developer machines, which is totally infeasible.

        Another issue is that too many will assume that because systems are air gapped, they're secure by default and thus don't need to be locked down, don't need good passwords, don't need patching, etc.

      2. Anonymous Coward
        Anonymous Coward

        Re: What are they waiting for

        On a more serious note, this is more believable than the usual crap fed by the 3 letters to the press including the air-gapped story.

        I'm unconvinced. First there's a logic flaw that all if there's all these holes in SCADA systems, why do they need this remote access yet without fixing the flaws, particularly when the TLAs are telling them there's all these issues? Second, we've been told for years that Iran/Norks/ISIS et al have staggeringly capable state sponsored hackers. If all the holes are there, and there are adversaries who don't see any downside, why haven't they been exploited? Even for the usual state sponsored nasties (Russia/China/Israel) there would be the potential for "fun" false flag attacks.

        More Chicken Little shit from the TLAs, in my view. Which isn't to say that there are no problems with SCADA, merely that the current "news" is deliberate attempts to create a moral panic to justify some bureaucrat's job, or some commercially preferred course of action.

        1. Anonymous Coward
          Anonymous Coward

          Re: What are they waiting for

          I'm unconvinced. First there's a logic flaw that all if there's all these holes in SCADA systems, why do they need this remote access yet without fixing the flaws, particularly when the TLAs are telling them there's all these issues?

          =============================================================================

          Do you really want to start messing around with the PDP-11 assembler code that controls a running nuclear power plant? Years after the person who understood all the issues and wrote it retired and/or died?

          Some things, if working properly, should not be changed.

          If you want to know how old the hardware and software at a nuclear plant may be, look at how long ago the first of that model/submodel of reactor powered up, then add a few years for testing, certification of hardware and software, retesting, etc.

          I suspect that the more critical the system, the older the hardware and software is likely to be. There is a reason the space shuttles were run by 286s, generations obsolete in the outside world.

          1. John Smith 19 Gold badge
            Unhappy

            There is a reason the space shuttles were run by 286s,

            Actually they ran a military version of an IBM 360 architecture called the 4Pi (lots of stuff running on it were related to navigation, spheres of Earth, etc). Made of discrete (military grade) TTL chips

    4. Anonymous Coward
      Anonymous Coward

      Re: What are they waiting for

      Fancy bear don't like who runs your Banks or have you already forgotten?

  3. Chris G Silver badge

    Special access

    So access that is 'special' doesn't count in a not really airgapped system?

    Either it has an air gap or it doesn't, remote access no matter how 'special' by definition cannot be an air gap.

    General: "Okay, this is all out nukular war, launch a strike"

    Minion pressing big red button: " Erm the button doesn't seem to be working Sir.

    General: "I said launch a strike....... anyone got a box of matches?

    1. Anonymous Coward
      Anonymous Coward

      Re: Special access

      I would assume it's two machines on something like GSM modems that allow access to the control system in emergencies. If it was me I'd also put a 5 second delay when the modem picks up, wrap the them in foil and put a sticker on them saying beware of the budgie, that's why I don't work with control systems.

    2. Steve Evans

      Re: Special access

      In a world of off-site support, putting a complex device behind a real air-gap is not going to be popular.

      So unless the bean-counters are going to splash the cash for on-site expertise (preferably not a gentleman called Ivan), security will be compromised.

  4. _LC_
    Megaphone

    Kremlin hackers broke my bicycle

    I found it with a flat tire today. The door to the cellar was closed. I assume the Russians must've jumped the air-gap via the window. Those devils!

    1. Dave 126 Silver badge

      Re: Kremlin hackers broke my bicycle

      You didn't explicitly state your bicycle was in the cellar when you found it with a flat tyre. I can't assume you didn't leave it chained up outside your house.

      Even if it was stored in your cellar, the Russians could have used a needle when you popped into the corner shop the previous day to give you a slow puncture that takes time to manifest.

      1. _LC_

        Re: Kremlin hackers broke my bicycle

        And here I was, thinking that only the North Koreans would be THAT mean. :-(

  5. Adam 1 Silver badge

    I don't see any reason why Russia would have jumped air gaps to pwn power utilities.

  6. Anonymous Coward
    Anonymous Coward

    Air-Gapped or not?

    Quote: "...special access into the utilities' networks..."

    Keyword here: "networks". So were these "networks" air-gapped....or not? I think we should be told, and a bit more clearly than this report manages.

  7. Prst. V.Jeltz Silver badge

    wtf is an Air GAP

    I think there needs to be a discussion on the meaning of "Air Gapped"

    The last article throwing that phrase around seemed to imply some malware had achieved magic powers , and caused more confusion than it enlightened - and that was malware that didnt need to phone home. This hack apparently does , if the russians want to "throw switches" , so it navigates the "air gap" at will , not just once.

    I think what we are learning here is that very few systems are indeed "Air gapped" . Were these power companies claiming that?

    1. Steve Evans

      Re: wtf is an Air GAP

      Indeed. A true air-gapped network will have no physical or ethereal (wifi) connection other networks i.e. the outside world.

      Although there have been a couple of clever proof of concept ways to breach this (acoustic for example), they always initially require physical access to the "gapped" network (or components of) to install required components (malware). You can't get roll up and access a gapped network unless it has already been compromised.

      A true air-gapped network can only transfer data to and from another network via physical media transfer.

      1. stiine Bronze badge

        Re: wtf is an Air GAP

        Like Stuxnet? I've heard the phrase 'what goes around comes around' before. Let me know when its appropriate to use it.

        1. DCFusor Silver badge

          Re: wtf is an Air GAP

          Stuxnet only needed to work in one direction, it needed no command and control and it didn't need to send any data back. The perp could find out it worked via the failure and reorder rate of centrifuges and other info likely to leak out.

          It's a different case.

          Now, what goes around DOES come around, sooner or later. Why are they in such a panic? Even if it isn't true just now (likely) then, well, later...

          And they need to whip up fear to keep their jobs. HL Mencken had a few tasty quotes on that one.

          1. tom dial Silver badge

            Re: wtf is an Air GAP

            Have another upvote for the Mencken reference. Too many people haven't read Mencken, or don't even know of him and think this sort of thing is new and different when it really is only different and only in detail.

      2. Anonymous Coward
        Anonymous Coward

        Re: wtf is an Air GAP

        "A true air-gapped network"

        OFFS, saying this is as bad as those Interns looking for the Stand Alone Internet

        Terminals and this Industry calling itself the Cloud. You've marketed away your security.

        Like it matters anyway since China and the CIA has backdoored every Router and Switch so....

  8. Anonymous Coward
    Anonymous Coward

    Is this a cover up for what the DHS has been doing for the past few years because they fear they have been found out?

    The DHS piece is far too high on speculation and very low on actual detail.

    1. thames

      The usual pattern for this sort of thing is that it starts when the US do this to someone else. The US counter-intelligence department then find out what their colleges on the floor above have been up to and crap their pants over the thought that someone might do the same to them. They then stage a series of leaks into the press that someone else has been doing it to them in an effort to whip up enough publicity to spur the industry into taking some preventive measures.

      Prior to the news of what the Americans did to Iran with Stuxnet, there was a long series of "confidential intelligence briefings" to selected newspapers and politicians about how US utilities may be vulnerable to being hacked. A demonstration using a specially set up diesel generator (simulating a power plant) was conducted which was supposed to show how SCADA systems could be infiltrated.

      The utility industry just shrugged it off, as they weren't seeing any of this in practice. And then Stuxnet hit the news and we saw that it had done exactly the sort of SCADA infiltration that the Americans had claimed was the threat to US utilities.

      And then there was the big campaign using the same PR techniques over how Chinese IT gear might have back doors in it. Nobody could find these back doors, but we were assured they might be there and it was a huge national security risk. And then it turned out that the American NSA was putting back doors in Cisco kit.

      I could go on with more examples, but the pattern follows a well-worn groove by now. The US hacks someone else, they crap themselves over the thought that someone might do the same to them, they start a propaganda campaign via the channel of suitably compliant major news media to whom they give an "exclusive" in return for not asking the wrong sort of questions, and industry is left to wonder "WTF?" because the story is full of holes due to so many details being held back because of course the US doesn't want the target they had actually hacked to find out what had been done.

      To address the story in particular, very likely the "air gapped" systems aren't actually air gapped. The utility has an "air gap" policy, but an exception was made for remote vendor support. The vendor isn't air gapped because they're too small to have a dedicated IT security team who could plan such a thing. And true "air gapping" probably isn't practical to begin with because the vendors are software developers who need to get software updates from Microsoft and their PCs need to connect to the Internet on a regular basis to validate software licenses, etc., etc.

      And if software updates from the vendors to the utilities aren't conducted on a timely basis, ordinary bugs can crash the electric network just as surely as malicious action could.

      Genuine security is probably possible, but it would require a complete overhaul of the industry and the relationships with vendors and the software development environments they use, and that simply isn't going to happen any time soon.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019